.NET Forms 身份验证问题
11-10-2019
问题
我正在 MVC.NET 中编写一个自定义登录页面。我这样检查登录:
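/// <summary>
/// Validates an admin login and, on success, issues the forms-authentication cookie and
/// stores the admin's id and user name in session state.
/// </summary>
/// <param name="login">User name as typed on the log-on page.</param>
/// <param name="password">Password as typed on the log-on page.</param>
/// <param name="persistent">When true the .ASPXAUTH cookie is given an expiry so it outlives the browser session.</param>
/// <returns>true when the repository found a matching login; false otherwise.</returns>
public bool Login(string login, string password, bool persistent)
{
    // The raw password goes straight to the repository; whether it compares a stored hash or a
    // plaintext value is not visible here — confirm it never stores or compares plaintext.
    var loginEntity = this.AdminRepository.GetLogin(login, password);
    if (loginEntity == null)
    {
        // The listing on the page stopped after the success branch; a failed lookup must report
        // failure without touching cookies or session state.
        return false;
    }

    // Issues the .ASPXAUTH ticket; only this cookie can survive a browser restart.
    FormsAuthentication.SetAuthCookie(login, persistent);

    // NOTE(review): the session id issued before log-on is kept as-is; abandoning it and letting
    // ASP.NET issue a new one here would be the usual mitigation against session fixation.
    // These values live only in server-side session state keyed by ASP.NET_SessionId, so they
    // are not recoverable from the forms ticket by themselves.
    HttpContext.Current.Session["AdminId"] = loginEntity.AdminId;
    HttpContext.Current.Session["AdminUsername"] = loginEntity.Username;
    return true;
}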
然后,我用一个过滤器属性来装饰任何需要管理员访问权限的控制器:
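/// <summary>
/// Redirects to the admin log-on page when the session has expired or no admin id is held in
/// session state. Runs before every action of the decorated controller.
/// </summary>
/// <param name="filterContext">The MVC action context; <c>Result</c> is set to the redirect when the caller must log on.</param>
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    var ctx = HttpContext.Current;

    // Session state may be disabled for this request; then there is nothing to check.
    if (ctx.Session != null)
    {
        bool requireLogOn;
        if (ctx.Session.IsNewSession)
        {
            // A new session id while the request already carries an ASP.NET_SessionId cookie means
            // the previous session timed out; no Cookie header at all means the caller never had one.
            // The header is client-supplied, so this is only a heuristic; the match is ordinal
            // because a cookie name is not culture-dependent text.
            string cookieHeader = ctx.Request.Headers["Cookie"];
            bool sessionCookiePresent = cookieHeader != null
                && cookieHeader.IndexOf("ASP.NET_SessionId", StringComparison.Ordinal) >= 0;

            // The original only redirected on the heuristic, so a new session whose Cookie header
            // lacks ASP.NET_SessionId skipped the AdminId check entirely. Nothing in this version
            // rebuilds AdminId for a new session, so the check is applied here as well.
            requireLogOn = sessionCookiePresent || cookieHeader == null || SessionContext.AdminId == null;
        }
        else
        {
            requireLogOn = SessionContext.AdminId == null;
        }

        if (requireLogOn)
        {
            // Built once instead of in each branch; the target was identical in both.
            var redirectTarget = new RouteValueDictionary
            {
                { "area", "Admin" },
                { "action", "LogOn" },
                { "controller", "Home" },
            };
            filterContext.Result = new RedirectToRouteResult(redirectTarget);
        }
    }
    base.OnActionExecuting(filterContext);
}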
我注意到登录后有两个 cookie:
- .ASPXAUTH,其过期时间为“会话结束”(persistent 为 false 时)或从现在起 30 分钟(persistent 为 true 时)
- 以及 ASP.NET_SessionId,其过期时间始终为“会话结束”
问题:即使我设置了“persistent”选项(这会把 .ASPXAUTH 的过期时间设为从现在起 30 分钟——这没问题),我的 Session["AdminId"] 在我关闭并重新打开浏览器后总是为 null。当我最初把“persistent”设为 true、然后关闭并重新打开浏览器窗口时,如何确保我的会话值(Session["AdminId"] 和 Session["AdminUsername"])能从 cookie 中恢复?谢谢
解决方案 2
我在这里找到了我的解决方案:是否可以将 .ASPXAUTH 用于我自己的登录系统?
这就是我所做的:
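public class SessionExpireFilterAttribute : ActionFilterAttribute
{
    /// <summary>
    /// Controller action filter that checks whether the session is still active. If the session has
    /// expired, or the caller holds no login, the filter redirects to the log-on screen. When a new
    /// session starts for a caller who still presents a valid forms-authentication ticket (for
    /// example a persistent .ASPXAUTH cookie after a browser restart), the session values are
    /// rebuilt from that ticket instead.
    /// </summary>
    /// <param name="filterContext">The MVC action context; <c>Result</c> is set to the redirect when the caller must log on.</param>
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var ctx = HttpContext.Current;

        // Session state may be disabled for this request; then there is nothing to check.
        if (ctx.Session != null)
        {
            bool requireLogOn;
            if (ctx.Session.IsNewSession)
            {
                var identity = ctx.User.Identity;

                // A new session id while the request already carries an ASP.NET_SessionId cookie
                // means the previous session timed out; no Cookie header at all means the caller
                // never had one. The header is client-supplied, so this is only a heuristic; the
                // match is ordinal because a cookie name is not culture-dependent text.
                string cookieHeader = ctx.Request.Headers["Cookie"];
                bool sessionCookiePresent = cookieHeader != null
                    && cookieHeader.IndexOf("ASP.NET_SessionId", StringComparison.Ordinal) >= 0;

                if (sessionCookiePresent || cookieHeader == null)
                {
                    requireLogOn = true;
                }
                else if (identity.IsAuthenticated)
                {
                    // The forms ticket is still valid: rebuild the session values from its user
                    // name. The name comes from the signed ticket, not from request data.
                    var loginRepository = new LoginRepository(InversionOfControl.Container.Resolve<IDbContext>());
                    IAuthenticationService authenticationService = new AuthenticationService(loginRepository);
                    authenticationService.SetLoginSession(identity.Name);
                    requireLogOn = false;
                }
                else
                {
                    // The original fell through here (Cookie header present but without
                    // ASP.NET_SessionId, and no authenticated identity), so the action ran with no
                    // login check at all. A fresh session for an anonymous caller must log on.
                    requireLogOn = true;
                }
            }
            else
            {
                requireLogOn = SessionContext.LoginId == null;
            }

            if (requireLogOn)
            {
                // Built once instead of in each branch; the target was identical in both.
                var redirectTarget = new RouteValueDictionary
                {
                    { "area", string.Empty },
                    { "action", "LogOn" },
                    { "controller", "User" },
                };
                filterContext.Result = new RedirectToRouteResult(redirectTarget);
            }
        }
        base.OnActionExecuting(filterContext);
    }
}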
其他提示
设置了过期时间的 cookie 会写入磁盘。因此,如果该 cookie 尚未过期,下次打开浏览器时你仍会处于登录状态。
会话 cookie 仅保存在内存中,浏览器一关闭就会丢失。
会话 cookie 就是没有过期日期的 cookie。